Allow JSON Web Keys that don't specify an explicit "use" and add Slack to the list of supported providers

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.Discovery.cs

@@ -110,6 +110,11 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                     context.Configuration.GrantTypesSupported.Add(GrantTypes.Implicit);
                 }
 
+                else if (context.Registration.ProviderName is Providers.Slack)
+                {
+                    context.Configuration.GrantTypesSupported.Add(GrantTypes.RefreshToken);
+                }
+
                 return default;
             }
         }

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs

@@ -710,6 +710,14 @@ public static partial class OpenIddictClientWebIntegrationHandlers
                 context.Request["duration"] = options.Duration;
             }
 
+            // Slack allows sending an optional "team" parameter to simplify the login process.
+            else if (context.Registration.ProviderName is Providers.Slack)
+            {
+                var options = context.Registration.GetSlackOptions();
+
+                context.Request["team"] = options.Team;
+            }
+
             return default;
         }
     }

src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml

@@ -345,6 +345,21 @@
              Description="The value used as the 'duration' parameter (can be set to 'permanent' to retrieve a refresh token)" />
   </Provider>
 
+  <!--
+                                              ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
+                                              ██ ▄▄▄ ██ ████ ▄▄▀██ ▄▄▀██ █▀▄██
+                                              ██▄▄▄▀▀██ ████ ▀▀ ██ █████ ▄▀███
+                                              ██ ▀▀▀ ██ ▀▀ █ ██ ██ ▀▀▄██ ██ ██
+                                              ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
+  -->
+
+  <Provider Name="Slack" Documentation="https://api.slack.com/authentication/sign-in-with-slack">
+    <Environment Issuer="https://slack.com/" />
+
+    <Setting PropertyName="Team" ParameterName="team" Type="String" Required="false"
+             Description="The value used as the 'team' parameter (allowing to bypass the login screen if the user is already authenticated in the specified workspace)" />
+  </Provider>
+
   <!--
                                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                                       ██ ▄▄▄ ██ ▄▄ ██ ▄▄▄ █▄▄ ▄▄█▄ ▄██ ▄▄▄██ ███ ██

src/OpenIddict.Client/OpenIddictClientHandlers.Discovery.cs

@@ -912,13 +912,17 @@ public static partial class OpenIddictClientHandlers
 
                 for (var index = 0; index < keys.Count; index++)
                 {
-                    // Note: the "use" parameter is defined as optional by the specification.
+                    // Note: the "use" parameter is defined as optional by the JWKS specification
-                    // To prevent key swapping attacks, OpenIddict requires that this parameter
+                    // but is required by the OpenID Connect discovery specification if both signing
-                    // be present and will ignore keys that don't include a "use" parameter.
+                    // and encryption keys are present in the returned list. If the "use" parameter
+                    // is not explicitly specified or has an empty value, assume it is a signing key.
+                    //
+                    // For more information, see https://www.rfc-editor.org/rfc/rfc7517#section-4.2
+                    // and https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata.
                     var use = (string?) keys[index][JsonWebKeyParameterNames.Use];
                     if (string.IsNullOrEmpty(use))
                     {
-                        continue;
+                        use = JsonWebKeyUseNames.Sig;
                     }
 
                     // Ignore security keys that are not used for signing.

src/OpenIddict.Validation/OpenIddictValidationHandlers.Discovery.cs

@@ -511,13 +511,17 @@ public static partial class OpenIddictValidationHandlers
 
                 for (var index = 0; index < keys.Count; index++)
                 {
-                    // Note: the "use" parameter is defined as optional by the specification.
+                    // Note: the "use" parameter is defined as optional by the JWKS specification
-                    // To prevent key swapping attacks, OpenIddict requires that this parameter
+                    // but is required by the OpenID Connect discovery specification if both signing
-                    // be present and will ignore keys that don't include a "use" parameter.
+                    // and encryption keys are present in the returned list. If the "use" parameter
+                    // is not explicitly specified or has an empty value, assume it is a signing key.
+                    //
+                    // For more information, see https://www.rfc-editor.org/rfc/rfc7517#section-4.2
+                    // and https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata.
                     var use = (string?) keys[index][JsonWebKeyParameterNames.Use];
                     if (string.IsNullOrEmpty(use))
                     {
-                        continue;
+                        use = JsonWebKeyUseNames.Sig;
                     }
 
                     // Ignore security keys that are not used for signing.